Adding new WAN Connection - Ping Yes, Use No



  • I am adding a second WAN port (Verizon connection) to an existing PFSense installation.

    The Network looks like this:

    173.xxx.xxx.133
                      _____________
    173.xxx.xxx.134  |            |
    ---- Comcast ---- | em0        |
                      |            |                    |                    |
                      | pfsense  em1|-------- LAN -------| PC @ 192.168.1.135 |
                      |            | 192.168.1.1        |____________________|
    ---- Verizon ---- | ue0        |
    10.1.1.1          |_____________|
                      10.1.1.10

    1. I have my interface and gateway added and routes to allow traffic. The gateway monitor for the new interface is set to 8.8.4.4 and shows green on Status -> Gateways page.

    2. I can ping from the LAN side all the way to the GW 10.1.1.1 address, but I can't get webGUI of the gateway router connected there.

    3. If I move my PC to the 10.1.1.x network I can log into the webGUI.

    What am I missing in my config?  What would you look at/for?

    Thanks,

    a very frustrated padapa



  • are you missing NAT on the new wan?



  • I would think if NAT wasn't working, I wouldn't be able to ping the 10.1.1.1 gateway address???

    Applied to the LAN interface I have a new rule that looks like this:
    https://www.dropbox.com/s/b1f260jxswvlzbm/Firewall%20-%20Rule%20-%20LAN%202015-11-06%20at%2012.55.56%20PM.png?dl=0

    and in the outbound NAT setting I have this:

    https://www.dropbox.com/s/ld5j8a757oscfqv/Nat%20-%20Outbound%202015-11-06%20at%2012.53.59%20PM.png?dl=0

    I am preparing to send all 166.0.0.0 traffic out the new port, once it's working.

    Heper, what else can I show you so you can help me see the issue?

    padapa



  • @heper:

    are you missing NAT on the new wan?

    So where do I check that?

    BTW… I can ping out to the next IP interface on the front of the Verizon path (10.10.1.1), but can't see its webgui either??? >:(

    If I do a traceroute to a public address like 166.xxx.xxx.125 it fails to see beyond the path to 10.1.1.1 and 10.10.1.1... like this:

    traceroute 166.xxx.xxx.125
    traceroute to 166.xxx.xxx.125 (166.xxx.xxx.125), 64 hops max, 52 byte packets
    1  10.1.1.1 (10.1.1.1)  3.967 ms  3.045 ms  3.038 ms
    2  10.10.1.1 (10.10.1.1)  9.783 ms  4.958 ms  4.836 ms
    3  * * *
    4  * * *
    5  * * *

    If I traceroute on the Verizon interface, I see the following:  (So I know the outbound path is working correctly.)

    traceroute 166.xxx.xxx.125
    traceroute to 166.xxx.xxx.125 (166.xxx.xxx.125), 64 hops max, 52 byte packets
    1  my.jetpack (10.10.1.1)  144.029 ms *  3.016 ms
    241.sub-66-174-12.myvzw.com (66.174.12.241)  47.605 ms  40.756 ms  39.191 ms
    244.sub-69-83-28.myvzw.com (69.83.28.244)  35.273 ms  44.141 ms  36.294 ms
    17.sub-69-83-28.myvzw.com (69.83.28.17)  41.110 ms  37.837 ms  46.419 ms
    170.sub-69-83-28.myvzw.com (69.83.28.170)  33.923 ms  37.562 ms  30.134 ms

    Any more ideas?

    padapa



  • I was checking the system logs and found this:  kernel: arpresolve: can't allocate llinfo for 10.1.1.1 on ue0

    ue0 is my new wireless WAN connection.  It is a USB to Ethernet adapter…

    I can ping all the way out to public addresses, but I still can't use port 80/443 for webGUI access to anything?

    Any Ideas??? Anyone!



  • You need an additional outbound NAT rule to get traffic for the gateway router UI originating from the correct subnet.

    | Interface: | USB_VZN_WWAN |
    | Protocol: | any |
    | Source: | any |
    | Destination: | Network: 10.1.1.1/32, Port: <leave blank> |
    | Translation: | Address: Interface address, Port: <leave blank>, Static port: |

    You might have to make this rule higher priority (i.e. above) the automatically created rule to get everything working correctly.

